GRN2-xx: Allow SAFE_HOSTS to be left blank (#1545)

* Allow SAFE_HOSTS to be left blank * a different approach Co-authored-by: jfederico <jesus@123it.ca>
2020-05-08 15:25:24 -04:00 · 2020-05-08 15:25:24 -04:00 · f47d68ea18
parent 0806bf4e58
commit f47d68ea18
2 changed files with 4 additions and 14 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -48,9 +48,8 @@ class ApplicationController < ActionController::Base
  # Block unknown hosts to mitigate host header injection attacks
  def block_unknown_hosts
    return unless Rails.env.production?
-    valid_hosts = ENV["SAFE_HOSTS"]
-    return raise UnsafeHostError, "SAFE_HOSTS not set in .env" if valid_hosts.blank?
-    raise UnsafeHostError, "#{request.host} is not a safe host" unless host_is_valid(valid_hosts)
+    return if config.hosts.blank?
+    raise UnsafeHostError, "#{request.host} is not a safe host" unless config.hosts.include?(request.host)
  end

  # Force SSL
@ -261,15 +260,4 @@ class ApplicationController < ActionController::Base
      end
    end
  end
-
-  def host_is_valid(hosts)
-    hosts.split(",").each do |url|
-      # convert to regex
-      reg_url = url.gsub(".", "\\.")
-      sub_url = reg_url.gsub("*", ".{1,}")
-
-      return true if request.host.match(sub_url)
-    end
-    false
-  end
 end
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -155,4 +155,6 @@ Rails.application.configure do

  # Set the relative url root for deployment to a subdirectory.
  config.relative_url_root = ENV['RELATIVE_URL_ROOT'] || "/b" if ENV['RELATIVE_URL_ROOT'] != "/"
+
+  config.hosts = ENV['SAFE_HOSTS'].presence || nil
 end